Cyware Daily Threat Intelligence - May 29, 2026

Attackers are blending spearphishing with cloud infrastructure, using Azure Blob Storage to mask command-and-control traffic and evade traditional defenses. In recent incidents tracked by cyware.com, a single ZIP attachment can open the door to persistent espionage across government, research, and financial networks in the Czech Republic and Taiwan.
A ransomware operation is turning credential theft and SMB lateral movement into network-wide outages, as the Gentlemen group expands its affiliate model. With command-line options like --full and --spread, a single breach can lock down entire organizations across North America and Europe, disrupting schools, hospitals, and financial services.
A data breach at Carnival Corporation has exposed nearly 6 million individuals to identity theft and fraud, after attackers used social engineering to access sensitive passenger information. The fallout includes years of potential scams and a 24-month credit monitoring offer for those affected.
Top Malware Reported in the Last 24 Hours
Operation Dragon Weave
Operation Dragon Weave is a China-linked espionage campaign that uses Azure Blob Storage as its command-and-control channel, so beacon traffic blends into the ordinary cloud activity most networks already allow. Initial access is spearphishing: emails, ZIP attachments, LNK files, and executables are chained to start the infection, and VBScript and PowerShell droppers then stage the payloads. The implants, tracked as RUSTCLOAK and AZUREVEIL, run heavily encrypted code in memory and expose 36 operator commands for file operations and network pivoting. Targets include government, public sector, research, academia, technology, and financial services organizations in the Czech Republic and Taiwan. Seqrite mapped the activity to MITRE ATT&CK techniques and recommends monitoring Azure Blob Storage access patterns and blocking the published indicators.
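Seqrite's recommendation to watch Azure Blob Storage access patterns turns on one observable: an implant polls its storage-account endpoint on a fixed cadence, whereas users and backup jobs do not. The script below is an added example written for this page, not code from Seqrite or from the campaign report. It reads a constructed proxy log (the hostnames, storage-account names and timestamps are invented), strips the `.blob.core.windows.net` suffix to recover the storage-account label, drops accounts on an assumed allowlist of the organization's own accounts, and flags any host that contacts an unapproved account at least `MIN_HITS` times with a low coefficient of variation in the gaps between requests.

```python
"""Beaconing check for Azure Blob Storage egress over proxy logs (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, not real traffic: "timestamp host dest_fqdn bytes".
# ws-042 polls an unknown storage account once a minute; ws-017 talks to the
# org's own backup account; the last line is ordinary browsing.
SAMPLE_LOG = """\
2026-05-28T09:00:00 ws-042 c2stor4711.blob.core.windows.net 812
2026-05-28T09:01:00 ws-042 c2stor4711.blob.core.windows.net 790
2026-05-28T09:02:01 ws-042 c2stor4711.blob.core.windows.net 805
2026-05-28T09:03:00 ws-042 c2stor4711.blob.core.windows.net 801
2026-05-28T09:04:01 ws-042 c2stor4711.blob.core.windows.net 799
2026-05-28T09:00:10 ws-017 corpbackups.blob.core.windows.net 52000000
2026-05-28T09:00:12 ws-017 corpbackups.blob.core.windows.net 48000000
2026-05-28T09:17:45 ws-017 corpbackups.blob.core.windows.net 49000000
2026-05-28T09:05:00 ws-042 www.example.com 3400
"""

BLOB_SUFFIX = ".blob.core.windows.net"
KNOWN_ACCOUNTS = {"corpbackups"}  # assumption: storage accounts the org itself uses
MIN_HITS = 4   # fewer requests than this is not enough to call the cadence periodic
MAX_CV = 0.2   # stddev/mean of inter-request gaps; implants beacon with low jitter


def parse(log):
    """Parse 'timestamp host dest_fqdn bytes' lines into tuples."""
    rows = []
    for line in log.splitlines():
        ts, host, dest, size = line.split()
        rows.append((datetime.fromisoformat(ts), host, dest, int(size)))
    return rows


def storage_account(fqdn):
    """Return the storage-account label of a blob endpoint, or None for other hosts."""
    return fqdn[: -len(BLOB_SUFFIX)] if fqdn.endswith(BLOB_SUFFIX) else None


def find_beacons(rows, min_hits=MIN_HITS, max_cv=MAX_CV, known=KNOWN_ACCOUNTS):
    """Flag (host, account) pairs that poll an unapproved blob account on a fixed cadence."""
    by_pair = defaultdict(list)
    for ts, host, dest, _ in rows:
        acct = storage_account(dest)
        if acct is not None and acct not in known:
            by_pair[(host, acct)].append(ts)

    hits = []
    for (host, acct), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps; cannot judge cadence
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"host": host, "account": acct, "count": len(times),
                         "interval_s": round(avg), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse(SAMPLE_LOG)):
        print(hit)
```

On the sample data only ws-042 is reported, with a 60-second interval; the backup host is excluded by the allowlist and would also fail the cadence test because its three requests are irregular. In production the allowlist matters more than the thresholds: an attacker can add jitter, but cannot make an unknown storage account look like one your organization provisioned.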
Gentlemen Ransomware
Gentlemen is a Go-based ransomware strain built to propagate across a network and encrypt systems organization-wide. It moves laterally over SMB using harvested credentials, and its behaviour is steered from the command line: --full widens the scope of encryption and --spread tells the binary to propagate to further hosts, so a single foothold can lock down an entire organization. The binary also requires an affiliate password supplied via --password, which restricts use to members of the program. Gentlemen has shifted from a closed operation to a ransomware-as-a-service model and recruits affiliates on BreachForums. Victims include schools, healthcare, transportation, and financial organizations, with operational downtime and data loss as the main impact. CSO Online reports activity from mid-2025 through 2026, with incidents across North America and Europe.
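Two of the behaviours above leave telemetry that can be joined: the SMB fan-out (one account performing network logons to many hosts in a short window) and the launch itself (a command line carrying --password together with --full or --spread). The script below is an added example for this page, not code from CSO Online or from any vendor detection. It works over constructed Windows-style events (event ID 4624 with logon type 3 for network logons, and a Sysmon-style process-creation record as ID 1; hostnames, account names, IPs and the `update.exe` image name are invented), finds each (user, source IP) that reached at least `min_hosts` distinct hosts within one window, and annotates every ransomware-flagged launch with the source that had just fanned out to the victim host.

```python
"""Correlate SMB fan-out logons with ransomware launch flags (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events, not real telemetry. id 4624 = Windows logon (logon_type 3
# is a network logon such as SMB); id 1 = a Sysmon-style process-creation record.
EVENTS = [json.loads(line) for line in r"""
{"ts":"2026-05-28T02:10:00","id":4624,"host":"fs01","user":"svc_backup","logon_type":3,"src_ip":"10.0.5.23"}
{"ts":"2026-05-28T02:10:04","id":4624,"host":"fs02","user":"svc_backup","logon_type":3,"src_ip":"10.0.5.23"}
{"ts":"2026-05-28T02:10:09","id":4624,"host":"db01","user":"svc_backup","logon_type":3,"src_ip":"10.0.5.23"}
{"ts":"2026-05-28T02:10:15","id":4624,"host":"hr01","user":"svc_backup","logon_type":3,"src_ip":"10.0.5.23"}
{"ts":"2026-05-28T02:11:30","id":1,"host":"fs01","user":"svc_backup","image":"C:\\Windows\\Temp\\update.exe","cmdline":"update.exe --password Aff1l1ate --full --spread"}
{"ts":"2026-05-28T02:30:00","id":1,"host":"ws-019","user":"jdoe","image":"C:\\Tools\\mysqldump.exe","cmdline":"mysqldump.exe --password=secret inventory"}
{"ts":"2026-05-28T08:00:00","id":4624,"host":"fs01","user":"jdoe","logon_type":3,"src_ip":"10.0.7.4"}
""".strip().splitlines()]

RANSOM_FLAGS = {"--full", "--spread"}  # from the report; "--password" gates affiliate use


def ts(e):
    return datetime.fromisoformat(e["ts"])


def is_ransom_launch(cmdline):
    """True when a command line carries the affiliate password plus an encrypt/spread flag."""
    toks = cmdline.lower().split()
    gated = any(t.startswith("--password") for t in toks)
    return gated and bool(RANSOM_FLAGS & set(toks))


def smb_fanout(events, min_hosts=3, window=timedelta(minutes=5)):
    """Map (user, src_ip) to the hosts it reached via network logon within one window."""
    logons = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e["logon_type"] == 3:
            logons[(e["user"], e["src_ip"])].append((ts(e), e["host"]))
    fanout = {}
    for key, seq in logons.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):
            hosts = {h for t, h in seq[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                fanout[key] = hosts
                break
    return fanout


def correlate(events):
    """Ransomware launches, annotated with the source that fanned out to the victim host."""
    fan = smb_fanout(events)
    alerts = []
    for e in events:
        if e["id"] != 1 or not is_ransom_launch(e["cmdline"]):
            continue
        sources = [src for (user, src), hosts in fan.items()
                   if user == e["user"] and e["host"] in hosts]
        alerts.append({"host": e["host"], "user": e["user"], "cmdline": e["cmdline"],
                       "spread_src": sources[0] if sources else None})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The mysqldump line is there deliberately: --password on its own is common in legitimate tooling, so the launch rule requires an encrypt or spread flag as well. The fan-out rule is the higher-value signal, because it fires on the lateral movement before any file is encrypted; the threshold of three hosts in five minutes is an assumption to tune against the baseline of your own service accounts.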
FortiClient EMS Infostealer via CVE-2026-35616
CVE-2026-35616 is a critical vulnerability in FortiClient EMS that allows unauthenticated arbitrary code or command execution on the EMS server. Attackers are exploiting it to abuse the EMS management channel, pushing malicious PowerShell commands to managed endpoints under the guise of a Fortinet patch. The payload is an infostealer that targets Google Chrome, Microsoft Edge, and Mozilla Firefox, harvesting saved logins, session cookies, and credit card details. Exploitation is active in the wild; Seqrite and Fortinet recommend patching immediately and monitoring EMS for malicious update activity.
Top Vulnerabilities Reported in the Last 24 Hours
CVE-2026-35616: FortiClient EMS Remote Code Execution
CVE-2026-35616 is a remote code execution vulnerability in FortiClient EMS rated critical on the CVSS scale. It lets attackers execute arbitrary code or commands on the EMS server and, from there, distribute malware disguised as legitimate patches to managed endpoints: researchers observed attackers using the FortiClient management channel to run malicious PowerShell commands on endpoints. The flaw is already being exploited in the wild. Fortinet has released a patch, and organizations should update immediately to prevent the browser data theft and financial fraud that follow the infostealer payload.
CVE-2026-4480: Samba Print Server Remote Code Execution
CVE-2026-4480 is a critical remote code execution vulnerability in Samba's print server functionality. An unauthenticated attacker can execute code remotely by abusing custom print commands that use the %J substitution, which Samba expands to the client-supplied job name before running the command. No in-the-wild exploitation has been reported yet. SafeBreach, ZeroPath, and Securin Labs discovered the issue and warn that configurations allowing guest printing are especially exposed, since no credentials are needed to submit a job. Patches are available in Samba 4.22.10, 4.23.8, and 4.24.3; administrators should update immediately on any print server reachable by untrusted clients.
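Until a print server is patched, the question an administrator can answer from the configuration alone is whether any share matches the at-risk shape: printable, reachable by guests, and running a print command that includes %J. The script below is an added example written for this page, not a Samba tool or code from the researchers. It reads two constructed smb.conf fragments (a weak one and the same shares hardened), resolves share-level settings over [global] and the documented synonyms (`printable`/`print ok`, `guest ok`/`public`), and lists the shares that combine all three conditions. It deliberately ignores `map to guest`, `valid users`, `hosts allow` and Samba's built-in print commands, so it is a triage aid for finding exposed configurations, not a verdict on exploitability; the fix remains the patched releases named above.

```python
"""Audit smb.conf for guest-reachable print shares whose print command uses %J (added example)."""

# Constructed smb.conf fragments, not taken from any real host. The [printers]
# share inherits the global print command, so it is exposed without saying so.
WEAK_SMB_CONF = """
[global]
   workgroup = CORP
   print command = /usr/local/bin/notify-print %p %J %s

[printers]
   path = /var/spool/samba
   printable = yes
   guest ok = yes

[hr-printer]
   path = /var/spool/samba/hr
   print ok = yes
   public = no
   print command = lpr -P %p %s; rm %s

[finance-printer]
   path = /var/spool/samba/fin
   printable = yes
   guest ok = yes
   print command = lpr -P %p -J %J %s
"""

# Same shares with guest access removed and the client-supplied job name kept
# out of the command line.
HARDENED_SMB_CONF = """
[global]
   workgroup = CORP
   print command = /usr/local/bin/notify-print %p %s

[printers]
   path = /var/spool/samba
   printable = yes
   guest ok = no

[finance-printer]
   path = /var/spool/samba/fin
   printable = yes
   guest ok = no
   print command = lpr -P %p %s
"""


def parse_smb_conf(text):
    """Minimal smb.conf reader: [section] headers and 'key = value' lines, keys lowercased."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1].strip().lower()
            sections[cur] = {}
        elif "=" in line and cur is not None:
            key, val = line.split("=", 1)
            sections[cur][key.strip().lower()] = val.strip()
    return sections


def _yes(value):
    return value is not None and value.lower() in ("yes", "true", "1")


def _setting(share, glob, *names):
    """Share-level value wins over [global]; names are Samba synonyms for one parameter."""
    for scope in (share, glob):
        for name in names:
            if name in scope:
                return scope[name]
    return None


def risky_print_shares(text):
    """Printable shares that allow guest access and run a print command containing %J."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    risky = []
    for name, share in conf.items():
        if name == "global":
            continue
        printable = _setting(share, glob, "printable", "print ok")
        guest = _setting(share, glob, "guest ok", "public")
        command = _setting(share, glob, "print command") or ""
        if _yes(printable) and _yes(guest) and "%J" in command:
            risky.append(name)
    return risky


if __name__ == "__main__":
    print("weak:", risky_print_shares(WEAK_SMB_CONF))          # ['printers', 'finance-printer']
    print("hardened:", risky_print_shares(HARDENED_SMB_CONF))  # []
```

Run it against `testparm -s` output rather than the raw file on a real host, so that included files and defaults are already resolved; the hr-printer share shows why the guest check matters, since its command uses no %J and it is not public, while the [printers] share is flagged purely through the inherited global command.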
Chrome 148: 22 Critical Vulnerabilities Patched
Chrome 148 addresses 151 security vulnerabilities, 22 of them rated critical, most of them memory-safety flaws. Among the fixes are CVE-2026-9872, an out-of-bounds write in the GPU component, and CVE-2026-9873, a use-after-free in the Network component; both could let an attacker escape the browser sandbox and run code on the user's system. None of the patched bugs is reported as exploited in the wild. Google credited external researchers and paid $43,000 for each of the top two bugs, with more than $130,000 awarded overall. The fixed builds are 148.0.7778.216/217 on Windows, 148.0.7778.215/216 on macOS, and 148.0.7778.215 on Linux.
Top Threat Actors Reported in the Last 24 Hours
ShinyHunters
ShinyHunters is an extortion-focused cybercriminal group believed to operate internationally, motivated by data theft and monetization. The group relies on social engineering to gain access to accounts and then exfiltrates personal data from the targeted organization. In the Carnival Corporation incident, ShinyHunters went after cruise passenger data and stole names, email addresses, dates of birth, and Mariner Society details belonging to nearly 6 million individuals. Carnival is offering affected individuals a 24-month TransUnion credit-monitoring package and warns that the stolen data may be used in follow-on phishing.